Below you will find detailed information on these attacks and how the JPStream network protects against them:

Layer 3/4 attacks

DNS amplification attacks

SMURF attacks

ACK attacks

Layer 7 attacks

Making DoS a thing of the past

Layer 3/4 attacks

Most DDoS attacks target the transport and network layers of a communications system. These layers are represented as layers 3 and 4 of the OSI model. The so called "transport" layer of the network stack specifies the protocol (e.g., TCP or UDP) by which two hosts on a network communicate with one another. Attacks directed at layers 3 and 4 are designed to flood a network interface with attack traffic in order to overwhelm its resources and deny it the ability to respond to legitimate traffic. More specifically, attacks of this nature aim to saturate the capacity of a network switch, or overwhelm a server's network card or its CPU's ability to handle attack traffic.

With JPStream, all attack traffic that would otherwise directly hit your server infrastructure is automatically routed to JPStream's global network of datacenters. Once attack traffic is shifted, we are able to leverage the significant global capacity of our network, as well as racks-upon-racks of server infrastructure, to absorb the floods of attack traffic at our network edge. This means that JPStream is able to prevent even a single packet of attack traffic from a traditional layer 3/4 attack from ever reaching a site protected by JPStream.

DNS amplification attacks

DNS amplification attacks, one form of DRDoS, are on the rise and have become the largest source of Layer 3/4 DDoS attacks. JPStream routinely mitigates attacks that exceed 100Gpbs, and recently protected a customer from an attack that exceeded 300Gbps

JPStream's network was specifically designed to stop massive layer 3/4 attacks. By using Cloud DDos Service, we are able to announce the same IP addresses from each of our 23 worldwide data centers. The network itself load balances requests to the nearest facility. Under normal circumstances this helps us ensure that your site's visitors are automatically routed to the nearest data center on our network to ensure the best performance. When there is an attack, serves to effectively scatter and dilute attack traffic across our entire network of data centers. Because every data center announces the same IP address for any JPStream customer, traffic cannot be directed to any one location. Instead of the attack being many-to-one, it becomes many-to-many with no single point on the network a single point of failure.

SMURF attacks

One of the first amplification attacks was known as a SMURF attack. In a SMURF attack an attacker sends ICMP requests (i.e., ping requests) to a network's broadcast address (i.e., X.X.X.255) announced from a router configured to relay ICMP to all devices behind the router. The attacker then spoofs the source of the ICMP request to be the IP address of the intended victim. Because ICMP does not include a handshake, the destination has no means of verifying if the source IP is legitimate. The router receives the request and passes it on to all the devices that sit behind it. Each of these devices then respond back to the ping. The attacker is able to amplify the attack by a multiple equal to the number of devices behind the router (i.e., if you have 5 devices behind the router then the attacker is able to amplify the attack 5x

SMURF attacks are largely a thing of the past. For the most part, network operators have configured their routers to disable the relay of ICMP requests sent to a network's broadcast address.

ACK attacks

When a TCP connection is established there is a handshake. The server initiating the TCP session first sends a SYN (for synchronize) request to the receiving server. The receiving server responds with an ACK (for acknowledge). After that handshake, data can be exchanged. In an ACK reflection attack, the attacker sends lots of SYN packets to servers with a spoofed source IP address pointing to the intended victim. The servers then respond to the victim's IP with an ACK creating the attack.

Like DNS reflection attacks, ACK attacks disguise the source of the attack making it appear to come from legitimate servers. However, unlike a DNS reflection attack, there is no amplification factor: the bandwidth from the ACKs is symmetrical to the bandwidth the attacker has to generate the SYNs. The XcellHost network is configured to drop unmatched ACKs, which mitigates these types of attacks.

Layer 7 attacks

A new breed of attacks target Layer 7 of the OSI model, the "application" layer. These attacks focus on specific characteristics of web applications that create bottlenecks. For example, the so-called Slow Read attack sends packets slowly across multiple connections. Because Apache opens a new thread for each connection, and since connections are maintained as long as there is traffic being sent, an attacker can overwhelm a web server by exhausting its thread pool relatively quickly.

JPStream has protections in place against many of these attacks, and in real world experiences we generally reduce HTTP attack traffic by 90%. For most attacks, and for most of our customers, this is enough to keep them online. However, the 10% of traffic that does get through traditional protections can still be overwhelming to customers with limited resources or in the face of very large attacks. In this case, JPStream offers a security setting called "I'm Under Attack" mode (IUAM).

After verified as legitimate by the automated tests, visitors are able to browse your site unencumbered. Javascript and cookies are required for the tests, and to record the fact that the tests were correctly passed. The page which your visitors see when in IUAM can be fully customized to reflect your branding. I'm Under Attack mode does not block search engine crawlers or your existing JPStream whitelist

Making DoS a thing of the past

As technology advances DoS attacks will only increase in complexity and magnitude. Traditional on-premise DoS solutions simply can not adapt to the wide range of new attack vectors, and are rendered completely ineffective for attacks that exceed an organization's network capacity.

JPStream network is designed to mitigate and keep pace with the changing threat landscape. JPStream, as an operator of one of the largest global networks on the Internet, is able to leverage its aggregate network capacity across 24 points of presence, and is able to learn from attacks against any individual customer to protect all customers on our network.

Cloud DDOS Plans

Cloud DDOS Basic

Access your computer, DVR, or camera system remotely with a memorable hostname.

Features

Fast site performance

Broad security protection

Powerful stats about your visitors

Peace of mind about running your website so you can get back to what you love

Cloud DDOS Pro

Complete DNS hosting for a single domain in one easy-to-use interface.

Features

Faster site performance

Mobile optimizations

Web application firewall & SSL

Virtually real-time statistics

Insight into what's happening on your site

Cloud DDOS Business

For companies and startups that need maximum reliability, speed, and scalability.

Features

All Pro features, plus full customization

Advanced denial of service attack mitigation

Upto 100% uptime guarantee

Peace of mind about running your website so you can get back to what you love

Cloud DDOS Enterprise

For the biggest and best brands who can't afford a minute of downtime.